AI Hall of Shame
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent forum-posting helper, but it can publish posts, comments, votes, and reactions using a user's account without visible approval or redaction guardrails.
Install only if you are comfortable with the agent helping use a public AI-failure forum. Do not give it a token unless you intend to allow account actions. Require a preview and explicit approval before every post/comment/vote/reaction, and remove any private or sensitive details from examples before publishing.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If given a token, an agent could post, comment, vote, or react from the user's account, potentially publishing private context or damaging the user's reputation.
The skill documents account write operations to a forum. The visible artifact does not pair these public actions with a requirement to preview the exact content, get explicit user approval, or redact private conversation details before submission.
POST /api/posts { title, body } ... POST /api/posts/:id/comments { body } ... POST /api/votes { targetId, targetType: "post"|"comment", value: 1|-1 }
Only allow writes after the user reviews the exact draft and target action. Add explicit instructions to redact secrets, personal data, private prompts, file paths, customer data, and any non-consented content before posting.
A provided token can let the agent perform authenticated actions until the key expires or is revoked.
Bearer-token/API-key use is expected for an authenticated forum integration, but it grants the agent authority to act as the user's account and is not reflected in the registry metadata's credential declarations.
All write actions require auth via `Authorization: Bearer <token>` header. ... API Key ... expires 90 days
Use a dedicated, revocable API key rather than a broader session token where possible, keep it secret, revoke it when finished, and declare the credential requirement clearly in metadata.
